ASP.NET ChangePassword control with ActiveDirectoryMembershipProvider - asp.net

I have a webapp that uses Forms Authentication with ActiveDirectoryMembershipProvider.
That works fine... users can log in successfully.
Once the user logs in, he can change the password.
We use a ChangePassword control that retrieves the Membership information and uses the OLD and new password to change the user's password. THAT doesn't work.
The exception message thrown is that the password doesn't fit the password policies (not the message of the provider, but the underlying COM object). But this is not the case, as going to the Active Directory console and changing the password there does work. When using the Active Directory console we used a quite simple password: "Password01".
The user in Active Directory is set to allow changing the password. All our users are stored in a certain OU and the connection string to AD points to this OU also. Again, the connection is successful as we can log in.
Is there any other thing that can prevent us from changing the password?
Exception information
System.Web.Security.MembershipPasswordException: The password supplied is invalid.
Passwords must conform to the password strength requirements configured for the default provider.
---> System.Runtime.InteropServices.COMException (0x800708C5): The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)
--- End of inner exception stack trace ---
at System.Web.Security.ActiveDirectoryMembershipProvider.ChangePassword(String username, String oldPassword, String newPassword)
at System.Web.Security.MembershipUser.ChangePassword(String oldPassword, String newPassword)

Well, sorry for the inconvenience...
The problem was that the Active Directory administrator had set a policy that you have to wait a day before changing the password.
So, if we create a user... the USER must wait 1 day to change his password.
The administrator can reset a password without this restriction.
Thanks for your comments.
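The root cause above is the domain's minimum password age. As an added example (not code from the original post), this helper reads the domain's minPwdAge and the user's last password-set time so the application can tell the user when a self-service change becomes possible instead of surfacing the generic policy error. It assumes the application identity can read the domain root (passed as an LDAP path such as LDAP://dc=yourdomain,dc=com) and the user's pwdLastSet, and that no fine-grained password policy (PSO) overrides the domain default.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class MinPasswordAgeCheck
{
    // Returns the earliest moment the user may change their own password,
    // or null when there is no minimum age or the user has no password-set time.
    public static DateTime? EarliestSelfServiceChange(string domainLdapPath, string samAccountName)
    {
        long minPwdAgeIntervals;
        using (var domainRoot = new DirectoryEntry(domainLdapPath))
        using (var searcher = new DirectorySearcher(domainRoot, "(objectClass=domainDNS)",
                                                    new[] { "minPwdAge" }, SearchScope.Base))
        {
            SearchResult domain = searcher.FindOne();
            if (domain == null || domain.Properties["minPwdAge"].Count == 0) return null;
            // AD stores minPwdAge as a negative count of 100-nanosecond intervals;
            // DirectorySearcher hands it back as a long
            minPwdAgeIntervals = (long)domain.Properties["minPwdAge"][0];
        }
        if (minPwdAgeIntervals == 0) return null; // no minimum age configured

        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null || user.LastPasswordSet == null) return null;
            // TimeSpan ticks are also 100-nanosecond units, so negate and add directly
            return user.LastPasswordSet.Value + TimeSpan.FromTicks(-minPwdAgeIntervals);
        }
    }

    // Turns the result into a message the ChangePassword page can show before calling the provider.
    // Assumes LastPasswordSet is UTC, which is how AccountManagement returns pwdLastSet in practice.
    public static string Describe(string domainLdapPath, string samAccountName)
    {
        DateTime? earliest = EarliestSelfServiceChange(domainLdapPath, samAccountName);
        if (earliest == null || earliest.Value <= DateTime.UtcNow)
            return "Minimum password age does not block a change right now.";
        return "Self-service change blocked by minimum password age until "
               + earliest.Value.ToString("u")
               + "; an administrator reset is not subject to this restriction.";
    }
}
```

If the domain uses fine-grained password policies, the effective minimum age comes from the user's msDS-ResultantPSO rather than the domain root, so this check is only a first approximation there.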

When you configure the membership provider in web.config there are several password-related values that can be set, namely:
MinRequiredNonAlphanumericCharacters
MinRequiredPasswordLength
PasswordStrengthRegularExpression
I would first make sure that all of these are set to values which match up with Active Directory.
Next, make sure that the connectionProtection attribute is set to SignAndSeal, you cannot change passwords otherwise:
connectionProtection="SignAndSeal"
Besides those suggestions, I looked in Reflector and all the COM errors (except 0x7FF8FAD2) are thrown straight up to the client. Error 0x800708C5 appears in MSDN in several places, but always with the text that password complexity is not sufficient.

Related

Silverstripe 3.1.x Change Password: Force Admin to Confirm Current Password

Can anyone tell me whether SilverStripe has a configuration option which can be enabled in order to force admin users to have to confirm their current password when they try to change their password?
I've just received results back from a security scan for a client project and one of the Medium-risk security issues flagged (to be fixed within 60 days) was the following:
Description
Observation:
Admin users are not required to enter their current password when changing their password.
Sample Affected URL:
http://yourdomain.com/admin/myprofile
Screenshot:
http://www.silverstripe.org/assets/Uploads/admin-myprofile.jpg
Impact:
A malicious user through the use of session hijacking, a man in the middle attack, cross-site request forgery attacks or finding an unattended logged in session could change an account password without knowing the current password. Also, when a user cannot change their username or password, they cannot be proactive in guarding against the user credentials being compromised.
Recommendation:
It is a best practice to allow a user to alter his username and password. Further, it should require a user to provide his current password in conjunction with providing the new password to revalidate the identity of the user.
Any help would be greatly appreciated. Thanks.
In the short term, you can use the DataExtension class to extend this functionality for the Member class without modifying the core. Have a look at this reference page.

Change Username ASP.net MVC 3 Membership

I am running an ASP.NET MVC 3 web application and using the Membership Provider. I would like to know if it's possible to allow the user (or administrator) to change an existing account's username? I have not found a way to do this. The username is not an email address, but is validated on its uniqueness prior to my attempt at assigning the new name.
Any help would be appreciated!
The membership provider does not provide a method to update the username. You will either need to extend the membership provider's UpdateUser method or directly interact with the membership tables to allow this change. However you approach this, keep in mind a few items:
On update, you will need to check uniqueness of the username much like what happens when a user is created.
If the user is logged in and changes their username, you will either need to force them to log out and log back in or reissue the AuthenticationTicket cookie. The reason being, if they change their username, then the username stored in the authTicket cookie and the actual username no longer match. If you use HttpContext.Identity.User.Name to query your datastore or check authorization to content, you will no longer return any results as that username no longer exists.
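Both points in the answer above, as an added example that is not the answerer's code: the rename is done directly against the membership table with the same lowered-name uniqueness check the provider applies on CreateUser, and the forms ticket is reissued so User.Identity.Name matches the new name. It assumes the default SqlMembershipProvider schema (aspnet_Users with UserName and LoweredUserName, a single application), a connection string named "ApplicationServices", and that the method runs inside a request.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

static class UsernameChange
{
    // Renames oldName to newName; returns false when the new name is taken or the user is missing.
    public static bool TryRename(string oldName, string newName, HttpContextBase context)
    {
        string connStr = ConfigurationManager.ConnectionStrings["ApplicationServices"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        {
            conn.Open();
            // Uniqueness check mirrors CreateUser: the provider compares the lowered name
            // (assumes one ApplicationId in the table; add it to the WHERE clause otherwise)
            using (var exists = new SqlCommand(
                "SELECT COUNT(*) FROM aspnet_Users WHERE LoweredUserName = @n", conn))
            {
                exists.Parameters.AddWithValue("@n", newName.ToLowerInvariant());
                if ((int)exists.ExecuteScalar() > 0) return false;
            }
            // aspnet_Membership is keyed by UserId, so only aspnet_Users needs the new name
            using (var rename = new SqlCommand(
                "UPDATE aspnet_Users SET UserName = @new, LoweredUserName = @lowered " +
                "WHERE LoweredUserName = @old", conn))
            {
                rename.Parameters.AddWithValue("@new", newName);
                rename.Parameters.AddWithValue("@lowered", newName.ToLowerInvariant());
                rename.Parameters.AddWithValue("@old", oldName.ToLowerInvariant());
                if (rename.ExecuteNonQuery() != 1) return false;
            }
        }
        // If the renamed user is the one logged in, the current ticket still carries the old
        // name; issuing a fresh cookie replaces it so the identity matches the database again.
        if (context.User != null && context.User.Identity.IsAuthenticated
            && string.Equals(context.User.Identity.Name, oldName, StringComparison.OrdinalIgnoreCase))
        {
            FormsAuthentication.SetAuthCookie(newName, false);
        }
        return true;
    }
}
```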

Trying to change a password that "user must change" in AD through ASP.NET

If the account does not have "user must change at next login" checked, I can change the password.
However, if the box is checked, I get a bad password error when I try to access the user.
LogOnUser() returns the correct error code so I know the user must change their password.
As Joe Kaplan says here (back in 2004), I can't bind to the user to be able to change their passwords.
It's the same issue whether using AccountManagement/PrincipalContext or DirectoryEntry/DirectorySearcher.
I did this on a project at my last position. Rather than try to bind to the user with their own credentials, we set up an AD account with only the rights to make the password change.
So, once you have the error code indicating that the user must change their password, ask for the new password, grab the user as admin, and make the change.
As I recall, we had to pass the admin username and password explicitly to make it work, rather than relying on the credentials the code was running under.
For security, we stored an encrypted copy of the limited admin username and password in the registry, and decrypted it when we were making the call.
Code will be something like this:
using System.DirectoryServices.AccountManagement;

// Bind with the limited-rights account rather than the user's own credentials.
// Note: SimpleBind sends the bind password in clear text unless combined with
// ContextOptions.SecureSocketLayer.
using (PrincipalContext dc = new PrincipalContext(ContextType.Domain,
    "www.yourdomain.com", "dc=yourdomain,dc=com",
    ContextOptions.SimpleBind, "AdminUserName", "AdminPassword"))
using (UserPrincipal usr = UserPrincipal.FindByIdentity(dc,
    "UserWhoNeedsPasswordChanged"))
{
    usr.ChangePassword("oldPass", "newPass");
}
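The whole procedure from the answer above (detect the must-change result from LogonUser, then change on the user's behalf with the limited account whose credentials are kept encrypted), as an added example that is not the answerer's project code. Assumed names: domain "yourdomain.com", container "dc=yourdomain,dc=com", and a service-account password stored as a DPAPI blob produced with ProtectedData.Protect on the same machine; it also swaps the answer's SimpleBind for Negotiate with sealing so the bind credentials are not sent in clear text.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

static class MustChangePasswordFlow
{
    const int LOGON32_LOGON_NETWORK = 3, LOGON32_PROVIDER_DEFAULT = 0;
    // Win32 error codes returned by LogonUser when the credentials are valid but a change is due
    const int ERROR_PASSWORD_EXPIRED = 1330, ERROR_PASSWORD_MUST_CHANGE = 1907;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // True when AD accepted the password but insists on a change before the user can bind.
    public static bool PasswordChangeRequired(string user, string domain, string password)
    {
        IntPtr token;
        if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            CloseHandle(token);
            return false;
        }
        int err = Marshal.GetLastWin32Error();
        return err == ERROR_PASSWORD_MUST_CHANGE || err == ERROR_PASSWORD_EXPIRED;
    }

    // Performs the change with the limited service account, as the answer describes.
    public static void ChangeAsServiceAccount(byte[] protectedServicePassword, string serviceUser,
                                              string user, string oldPassword, string newPassword)
    {
        // DPAPI keeps the service-account secret bound to this machine (assumed stored that way)
        string servicePassword = Encoding.UTF8.GetString(
            ProtectedData.Unprotect(protectedServicePassword, null, DataProtectionScope.LocalMachine));
        using (var dc = new PrincipalContext(ContextType.Domain, "yourdomain.com", "dc=yourdomain,dc=com",
                   ContextOptions.Negotiate | ContextOptions.Sealing, serviceUser, servicePassword))
        using (var usr = UserPrincipal.FindByIdentity(dc, IdentityType.SamAccountName, user))
        {
            if (usr == null) throw new InvalidOperationException("user not found");
            // Old password is still required, so the user must prove it before this is called
            usr.ChangePassword(oldPassword, newPassword);
        }
    }
}
```

Call PasswordChangeRequired first; only when it returns true should the page prompt for a new password and call ChangeAsServiceAccount with the old and new values the user supplied.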

How ASP.NET form authentication works: recognising cookies from request

I am reading about forms authentication in ASP.NET and cannot understand something:
James enters a username and password, which are saved in the DB. A cookie from the username is created, encrypted and attached to a response. As I understand it, then, when we get a request we need to recognise that the cookie received is from James so we can show his customised page.
What I would like to understand is how the system will retrieve the username from the cookie and then load his info from the DB?
Forms Auth is storage agnostic. It doesn't have to use a database, indeed you can use it with usernames and passwords in web.config.
So what happens is
A user logs in.
The user is authenticated against the membership provider (which can use SQL, Active Directory, web.config, Oracle, MySQL, whatever).
A forms authentication token is created for the user, and is placed on the user machine via a cookie.
Each subsequent request reads the forms authentication token, and queries the provider to get the user details.
The user details are used to populate the user identity in the HttpContext and current thread for the request which is then available to your code to use.
In your code you can check the User property in the Page class (WebForms) or the User property in the controller class (MVC).
While you can get at it via the current thread or the current context, it's not advised, especially once you start using background tasks, where the identity may not propagate to the thread, or the context may change.
You'll note that nothing is stored in a database when the user logs in. It's all in the forms authentication token, and the work of retrieving the user from its store on each request is done for you.
AFAIK Forms Authentication does not store or load anything in any database. You can use a database to store the username and password, or you can put them in the web.config. How you store user credentials and validate them is up to you, and can happen separately from Forms Authentication.
Once you have validated a user (against database or some other logical storage), you use FormsAuthentication to write the authentication cookie. You do not need to worry about decrypting the cookie.
You can get the username from System.Threading.Thread.CurrentPrincipal.Identity.Name. To retrieve the user's info from the database, you would query the database using the value of the principal identity name.
Response to comments
Right, you can use forms authentication with the membership provider, active directory, or your own custom user database. FormsAuth doesn't care about the password at all, unless it is stored in web.config (as noted in blowdart's more complete answer). It just writes the cookie, which is decrypted and used to create the thread identity automatically.
Additional Info
Even though this was marked as the answer, blowdart's response is much more complete. You really should not get the identity from the thread if you need it in an ASPX page or MVC controller; use the properties he referenced.
You get the username in your web form by calling User.Identity.Name, e.g. like this:
protected void Page_Load(object sender, EventArgs e)
{
    // ASP.NET has already decrypted the forms authentication cookie and built the principal
    string userName = User.Identity.Name;
}
ASP.NET interprets the cookie for you; you don't have to read it yourself. Or is your question how to store the user and password in the DB?

Verify the UserID, Forgot question and Forgot Answer in ASP.net Membership

I have an ASP.NET page with a user ID, a question and an answer.
I need to verify whether the user ID and the answer are correct.
I do not need to enable password retrieval,
and my password is hashed.
How do I do this?
Are you using the ASP.NET membership provider? If so, then the system will do that authentication for you; you just need to set the appropriate permissions in each folder's web.config in your web site. Just make sure that the folder containing the login form, registration form, etc. (all the content that anonymous users can get to, and yes, login needs that as they are anonymous until they have actually logged in) is set to allow anonymous users.
You can't have password retrieval with hashed passwords as it's a trapdoor (i.e. one-way) encryption and can't be reversed. The only option with hashed passwords is to issue a new password.
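Issuing a new password is exactly what the provider's ResetPassword(answer) does, and it verifies the security answer for you on the way. As an added example (not from the answer above), this shows the question/answer check with hashed passwords and enablePasswordRetrieval="false"; it assumes requiresQuestionAndAnswer="true" on the configured provider and that the SqlMembershipProvider is in use.

```csharp
using System;
using System.Web.Security;

static class ForgotPasswordCheck
{
    // The question is safe to display; the stored answer is hashed and never shown.
    public static string GetQuestion(string userName)
    {
        MembershipUser user = Membership.GetUser(userName, false);
        return user == null ? null : user.PasswordQuestion;
    }

    // Returns the newly generated password when the answer is right, null otherwise.
    // Unknown user, locked-out user and wrong answer all yield the same null so the
    // page cannot be used to enumerate accounts.
    public static string VerifyAnswerAndReset(string userName, string answer)
    {
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null || user.IsLockedOut) return null;
        try
        {
            // The provider hashes the supplied answer with the stored salt, compares it,
            // and only then generates a replacement password.
            return user.ResetPassword(answer);
        }
        catch (MembershipPasswordException)
        {
            // Wrong answer. SqlMembershipProvider counts failed answers toward
            // maxInvalidPasswordAttempts, so repeated guesses lock the account.
            return null;
        }
    }
}
```

Deliver the returned password to the user out of band (for example by e-mail) and require a change on first login; never render it on the page that accepted the answer.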
